The signed pipelines feature is a verification system that determines which pipelines/steps generated a specific artifact. It provides users with a way to ensure that their artifacts have not been tampered with before these artifacts are promoted through the CI/CD workflow. The signing process creates trust and provides a way to validate the immutability of the artifacts and the authenticity of packages. This means that artifacts whose authenticity cannot be verified can be blocked.
In addition, the signed pipelines feature builds comprehensive metadata, called pipeinfo. This provides complete visibility and audit for each step and run, which can be viewed in the UI.
Note
The signed pipelines feature is available with Enterprise+ license only.
The signed pipelines feature is available for buildinfo and Go binaries only.
The signed pipelines feature is enabled by default. To disable this feature, in the Core Services Configurations section in the Pipelines System YAML, set the signedPipelinesEnabled tag to false.
Signing Process
During the signing process of a pipeline:
A run key is generated for every run of the pipeline.
During the run, all artifacts (pipeInfo.json) are signed with the private key. The private key is discarded at the end of the run.
Metadata for the run that generated the artifact is stored as a tag for the artifact.
During the verification stage, a public key is used to verify the signature.
For each run, files containing comprehensive metadata (*.json) and corresponding signature files (*.json.sig) are uploaded to Artifactory. This provides a way to trace the entire path of a pipeline. Any process that needs to verify an artifact can check these signatures in addition to cross-referencing the pipeinfo.
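The key lifecycle described above (per-run key, private key discarded after signing, public key kept for verification, one .json.sig per .json) is shown below as an added Go example. It is not JFrog's code and does not use the real pipeinfo schema or .sig encoding, which this page does not specify: the run is modelled with an ephemeral Ed25519 key pair from the Go standard library, and SignRun, VerifyRun, PromotionAllowed, SamplePipeInfo and the JSON field names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
)

// SignedRun models what survives a pipeline run: the run's public key,
// the metadata files and their detached signatures. The private key is
// deliberately not part of this struct (constructed model, not the real
// repository layout).
type SignedRun struct {
	PublicKey ed25519.PublicKey
	Files     map[string][]byte // "head.json" -> file contents
	Sigs      map[string][]byte // "head.json.sig" -> signature bytes
}

// SamplePipeInfo returns constructed stand-ins for the three pipeinfo
// files. The field names are illustrative, not the real pipeinfo schema.
func SamplePipeInfo() map[string][]byte {
	return map[string][]byte{
		"head.json": []byte(`{"pipeline":"build-app","branch":"main","run":42}`),
		"info.json": []byte(`{"status":"failure"}`),
		"step.json": []byte(`{"step":"build","artifact":"app-1.0.0.tgz"}`),
	}
}

// SignRun generates a fresh key pair for this run, signs every metadata
// file, and returns only the public key plus files and signatures. The
// private key is a local that goes out of scope here, mirroring its
// discard at the end of the run.
func SignRun(files map[string][]byte) (*SignedRun, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	run := &SignedRun{
		PublicKey: pub,
		Files:     make(map[string][]byte, len(files)),
		Sigs:      make(map[string][]byte, len(files)),
	}
	for name, content := range files {
		run.Files[name] = append([]byte(nil), content...)
		run.Sigs[name+".sig"] = ed25519.Sign(priv, content)
	}
	return run, nil
}

// VerifyRun checks each *.json against its *.json.sig using the run's
// public key. It returns the sorted names of files that fail, either
// because the signature is missing or because it does not verify; an
// empty result means every file is intact.
func VerifyRun(run *SignedRun) []string {
	failed := []string{}
	for name, content := range run.Files {
		sig, ok := run.Sigs[name+".sig"]
		if !ok || !ed25519.Verify(run.PublicKey, content, sig) {
			failed = append(failed, name)
		}
	}
	sort.Strings(failed)
	return failed
}

// PromotionAllowed is the gate a promotion step would apply: the
// artifact moves on only if every metadata file verifies.
func PromotionAllowed(run *SignedRun) bool {
	return len(VerifyRun(run)) == 0
}

func main() {
	run, err := SignRun(SamplePipeInfo())
	if err != nil {
		panic(err)
	}
	fmt.Printf("run public key: %s\n", hex.EncodeToString(run.PublicKey))
	fmt.Printf("failures right after signing: %v\n", VerifyRun(run))

	// Simulate someone rewriting the run status after the run has ended.
	run.Files["info.json"] = []byte(`{"status":"success"}`)
	fmt.Printf("failures after tampering: %v\n", VerifyRun(run))
	fmt.Printf("promotion allowed: %v\n", PromotionAllowed(run))
}
```

Because the private key never leaves SignRun, nothing that runs after the pipeline can produce a fresh valid signature for altered metadata; the verifier needs only the public key. Note that a missing .json.sig is treated the same as a bad one, so stripping signatures from the repository blocks promotion just as editing the files does.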
Pipe-Info Repository
The Pipe-Info repository, like the Build-Info Repository, is a local repository that is created per Project and stores all the metadata for each pipeline.
Whenever Pipelines uploads a new build to Artifactory, its pipeinfo json files are automatically deployed to either the default artifactory-pipe-info repository or the <project_key>-pipe-info repository. Pipeline artifacts that do not belong to any Project are stored in the artifactory-pipe-info repository and pipeline artifacts that belong to specific Projects are stored in the <project_key>-pipe-info repository.
Viewing pipe-info Repository
To view the pipe-info repository, from the Application module, click Artifactory | Artifacts and then click the artifactory-pipe-info repository.
Artifactory automatically places the JSON files in the pipe-info repository using the following structure: [pipeline-name] → [branch] → [run-number] → [pipe-info files].
The JSON schema defines a pipeinfo object. The object is composed of three components, which together summarize a run:
head.json: Contains metadata about the pipeline, and the contents of the pipeline YAML file.
info.json: Contains metadata about the status of the run.
step.json: Contains metadata about the step.
Each .json file is stored with a corresponding .json.sig signature file. To view the contents of a JSON file, right-click the file and click View, as shown in the image above.